(54) Security monitoring apparatus based on access log and method thereof

(57) A security monitoring apparatus (1, 100, 400, 500) monitors access to a monitor target (2) from the outside, and judges whether new access is normal by referring to an access log concerning past access situations. Then, if the access is abnormal, the security monitoring apparatus issues an alarm to a user/manager, and executes a lockout process, etc. For example, access to a computer on a network is monitored and compared with past accesses using criteria such as the time of access, name of a file accessed, frequency of access to the file, etc.

Description

[0001] The present invention relates to a technology for the security of electronic equipment, and in particular relates to a security monitoring apparatus, security monitoring method and program storage medium for the security of electronic equipment for realizing the maintenance and management of security of complicated electronic equipment without burdening a user.

[0002] Conventionally, in order to maintain and manage security for access management, etc., of electronic equipment, such as a computer, etc., security monitoring systems, such as a user management system using a user ID and a password, data leak prevention systems using cryptography, access control systems, authentication systems, etc., have been developed.

[0003] In such a security monitoring system, management information about a user, etc., which is set in advance (a user ID, a password, etc.) and management information which is required for the user to operate an apparatus are chiefly collated, and if they match as specified or they are judged as being within an allowed scope, the requirement of the user is executed. Namely, conventional security management is based on the authentication of a user.

[0004] However, in such a security management system based on authentication, such as a user ID, password, access restriction, etc., of a user, the management of an access log, such as one performing a check of the access log by a legal user or manager and a verification of whether the access has been made by the legal user, the manager or another legal user, etc., is always required in order to check whether there is an illegal access. Such a system has a fundamental weak point in that a simple user ID and password are easy to acquire illegally. It also has a problem in that a user has to check the access log every time, which is very troublesome. Since the log management more or less relies on an operator, it takes time to verify the legality of an access, and as a result, it also takes time to detect the illegality of an access.

[0005] If some user authentication information leaks, it takes a great deal of labor and time to verify whether there is an illegal access, and discovery of the illegal access is greatly delayed, which is another problem.

[0006] For the above-described reasons, the conventional security management system based on the authentication of a user has no basic security control over the leakage of authentication information, or it takes a great deal of labor to maintain and manage security in the conventional security management system.

[0007] Since a semi-automatic access, which is an access made through a network and in which basically there is no user control, as in a mail reception protocol of a mail server, etc., is virtually automatically made with a certain kind of special execution priority usually by using a specific user name, sufficient attention has to be paid to security. However, an illegal user, virus, etc., often gains access by taking advantage of such a weak point in the security system, and the security monitoring based on the authentication of a user is basically powerless against such an access.

[0008] However, although a security system using cryptography has a merit in that major information cannot be decoded even when data are transmitted through a network or when a user gains illegal access to the data, it is powerless against an illegal log-in and an illegal access.

[0009] An embodiment of the invention may provide a security monitoring system which does not maintain nor manage security based on the authentication of a user, but performs more powerful maintenance and management of security even if the authentication information of a user leaks, by monitoring the access situation from a user or through a network, detecting an abnormal access and issuing an alarm.

[0010] The present invention comprises a mechanism for monitoring access to electronic equipment to be monitored from the outside and issuing an alarm by referring to the access log (security management information) concerning past access situations if a new access is judged to be abnormal from the access log in the past.

[0011] According to the present invention, an access situation at the time of access, such as an access environment, access time, etc., is acquired in electronic equipment with an access means from the outside, is accumulated there, and an alarm is issued to a manager or user if the access situation meets a predetermined criterion. The typical access method for electronic equipment includes, for example, an inputting means, such as a network, a keyboard, a mouse, etc. The typical type of accessing electronic equipment includes, for example, log-in to the equipment, file access, an execution command to operate the equipment, access through a network, etc.

[0012] A means for setting criteria for access situations according to a frequency of access and a type of access (write, read, execute, etc.) can also be provided.

[0013] For example, the mechanism can be configured in such a way that alarms are issued a certain number of times or for a certain time period after the first access and may not be issued if the same access is repeated a certain number of times, according to security management information which is obtained from an access log in the past.

[0014] Furthermore, a mechanism for setting how an access can be prohibited from being accepted or allowed to be accepted after issuing an alarm as a result of security monitoring if access is received from a certain user, can be added. Alternatively, in equipment with a security management mechanism using a password, a mechanism for allowing access to be accepted if another password is requested after an alarm is issued based on the security management information and the inputted password is judged to be legal when an access from a certain user is received, can be provided.

[0015] Alternatively, the time zones of security management information can be statistically processed by using a normal distribution, etc., of the access time of a user, and the scope for issuing an alarm can be determined using the variance of the access time as a base.

[0016] Alternatively, a mechanism for utilizing a plurality of setting files relating to security management information and access restriction information, modifying a setting file to be used according to the access situation of a user, such as elapsed time, the frequency of accesses, etc., and modifying and managing a security level, can be provided in order to manage the security level. Thus, for example, when a new user is registered, etc., a security check different from that for a legal user can be applied to the new user by utilizing an access situation which is initially set.

[0017] A program causing a computer to execute each of the above-described processes can be stored in an appropriate computer-readable storage medium, such as a portable medium memory, a semiconductor memory, a hard disk, etc.

[0018] Reference is made, by way of example, to the accompanying drawings in which:

Fig. 1 explains a principle of the present invention.
Fig. 2 shows a configuration example of the first preferred embodiment of the present invention.
Fig. 3 shows an example of an access log.
Fig. 4 shows an example of security management information about a user.
Fig. 5 shows an example of security management information about a computer.
Fig. 6 shows an example of the distribution of the access time of a certain user.
Fig. 7 shows an example of access restriction information.
Fig. 8 shows an example of access restriction information for a new user.
Fig. 9 shows an example of an access log which is acquired from an access through a network.
Fig. 10 shows an example of the security management information of an access log which is acquired from an access through a network.
Fig. 11 shows the summary of the process flow of the first preferred embodiment.
Fig. 12 shows a configuration example of hardware for realizing the present invention in the first preferred embodiment.
Fig. 13 shows a configuration example of the second preferred embodiment of the present invention.
Fig. 14 shows examples of an alarm process setting.
Fig. 15 shows examples of an alarm for a user which corresponds to each alarm process setting.
Fig. 16 shows examples of an alarm for a manager which corresponds to each alarm process setting.
Fig. 17 shows the summary of the process flow in the second preferred embodiment.
Fig. 18 shows a configuration example of the third preferred embodiment of the present invention.
Fig. 19 shows a case example in which a security monitoring apparatus is used as a house-breaking monitoring apparatus.
Fig. 20 shows a case example in which a security monitoring apparatus is used as a traffic monitoring apparatus.
Fig. 21 shows the summary of the process flow of the third preferred embodiment.

[0019] Fig. 1 explains a principle of the present invention.

[0020] A security monitoring apparatus 1 embodying the invention is used together with electronic equipment 2, and comprises an access monitor unit 10 for continually monitoring access situations, such as the access environment, access time, etc., at the time of an access, and an abnormality alarm unit 20 for issuing an alarm and reporting to a manager or a specific user that some abnormal access occurs when there is an access made that is different from a normal access. It further comprises an alarm process unit 30 for executing a predetermined alarm process for temporarily prohibiting user access, etc., which is set by an alarm process setting unit 31, following the issuance of an alarm by the abnormality alarm unit 20. Although in Fig. 1, the electronic equipment 2 and the security monitoring apparatus 1 are shown separately, the security monitor apparatus 1 can also be incorporated into the electronic equipment 2.

[0021] Specifically, when access is received by the electronic equipment 2, the access monitor unit 10 acquires an access log using an access log acquisition unit 11, executes the statistical process of the access log using a security management unit 12, and stores the obtained result as security management information. The access monitor unit 10 detects a difference between this access situation and a past access situation by comparing the access log acquired by the access log acquisition unit 11 with security management information obtained from the access log in the past using a security check unit 14, and judges that an access gained in a situation different from a normal one is an abnormal access, and issues an alarm to the manager or specific user using the abnormality alarm unit 20.

[0022] Alternatively, access restriction which is set in advance using an access restriction setting unit 13 can be taken into consideration when the access log and the security management information are compared using the security check unit 14. If the access log of this time violates the set access restriction, the access monitoring apparatus issues an alarm to the manager or specific user using the abnormality alarm unit 20. Furthermore, the alarm process unit 30 executes alarm processes, such as locking out the user ID, prohibiting the user from accessing, requesting a second password, etc., based on a setting by an alarm process setting unit 31.

[0023] Therefore, even if information for user authentication leaks and a user illegally accesses in a way or an environment different from that of a legal user, access can be judged to have been gained in a situation different from a normal access (abnormal) and an alarm can be issued. Furthermore, an alarm process which is set in advance can be immediately executed, and thereby more powerful security can be realized.

[0024] The preferred embodiments of the present invention are described in detail with reference to the drawings below. Fundamentally, there is no need for user authentication information in the present invention. However, in current electronic equipment, such a security management method is general, and in the present invention, more powerful security can be secured by utilizing user authentication information. Therefore, in the following description of the preferred embodiments of the present invention, a security monitoring apparatus in which a system of the present invention is added to the conventional security system based on user authentication is described.

[The first preferred embodiment] 

[0025] First, the first preferred embodiment is described. Here, a case where access to electronic equipment, such as a computer, etc., is monitored is described.

[0026] Fig. 2 shows a configuration example of the first preferred embodiment of the present invention. An access monitor unit 110 in a security monitoring apparatus 100 monitors access to electronic equipment to be monitored, and when an access request is received from a user, it judges whether the access request is normal. If access is judged to be normal, access monitoring is continued as usual. However, if it is judged to be abnormal, a report is made to an abnormality alarm unit 120 that access is abnormal, and the abnormality alarm unit 120 reports to a specific user or manager through an output device 140 that access is abnormal.

[0027] The access monitor unit 110 comprises an access log acquisition unit 111 for acquiring the access log 201 of access to electronic equipment, a security management unit 112 for executing the statistical process of the access log which is acquired by the access log acquisition unit 111 and managing the processing result as security management information 203, an access restriction setting unit 113 for setting access restriction information 204 which defines conditions for detecting abnormality, and a security check unit 114 for checking whether access is normal. The security check unit 114 includes a log comparison unit 115 for detecting an abnormal access by comparing the access log 201 with the security management information 203, and a restriction comparison unit 116 for judging whether access violates the set access restriction information 204.

[0028] The access log acquisition unit 111 acquires the access log 201. The access method for electronic equipment includes access from another electronic equipment through a network, and access to a computer from a variety of inputting means, such as a keyboard, mouse, etc., of which access logs are acquired by the access log acquisition unit 111.

[0029] Fig. 3 shows an example of an acquired access log 201 of access to a computer. For an access log 201, information, such as the name of a user, a password, the date and time of an access, the name of an accessed file, the name of an executed command, etc., are acquired and stored. The access log 201 is transmitted to the security management unit 112.

[0030] The security management unit 112 executes the statistical process of the access log 201 which is acquired by the access log acquisition unit 111, converts the access log to security management information 203, such as the frequency of access, the time zone of access date and time (the beginning time and the end time of a period in which access is gained, the day of the week on which access is gained, etc.), the name of a file accessed in the past, the frequency of access to the file, the time zone in which the file was accessed, the name of an executed command, the frequency of the execution of the command, the time zone in which the command was executed, etc., for each user, and stores obtained information. Alternatively, the access log 201 can be statistically processed for each file or computer, and can be stored as security management information 203.

[0031] Fig. 4 shows an example of security management information about a user, and Fig. 5 shows an example of security management information about a computer.

[0032] The security management information 203 about a user shown in Fig. 4 is stored for each user, and includes the password of the user, the number of times a specific computer was accessed, the date and time of the first access and previous access and the time zones, the date and time of the first access and previous access for each accessed file, the number of times each file was accessed, the time zone in which each file was accessed, the date and time of the first and previous executions for each command, the number of times each command was executed, the time zone in which each command was executed, the computers which gained access, etc.

[0033] The security management information 203 about a computer shown in Fig. 5 is stored for each computer, and includes the registered name of a user, the date and time of the first access and previous access for each accessed file, the number of times each file was accessed, the time zone in which each file was accessed, the date and time of the first and previous executions for each command, the number of times each command was executed, the time zone in which each command was executed, the date and time of the first access and previous access for each computer to be accessed or for each computer to gain access, the number of times each computer was accessed or each computer gained access, the time zone in which each computer was accessed or each computer gained access, etc.

EP 0 999 490 A2

[0034] Concerning the information about a time zone in the security management information 203 shown in Figs. 4 and 5, the time at which a user or another computer gains access is not fixed exactly between predetermined beginning and end times, and it often shifts gradually as accesses are repeated.

[0035] For this reason, the security management unit 112 manages information about a time zone using a method for determining the scope of the time zone where access is gained with a statistical process. For example, if the distribution of the access time of a certain user is assumed to be a normal distribution as shown in Fig. 6, the distribution can be indicated by using both a mean value m and a variance s. Therefore, if a time zone from which a user access is judged to be normal is assumed to be a scope of plus/minus 3s, as in m ± 3s, an access of about 99.7% of time zones in which the user has accessed before can be permitted with no conditions. Such statistical information about an access is calculated for all accesses without dividing a section or by dividing a section of, for example, the past one month or one year, if necessary, and the time zone in which an access is permitted is set based on the calculation. If this method is adopted, the access time zone of a user automatically changes according to the use situation of the user, regardless of its initial setting, thus making it convenient.

[0036] A log comparison unit 115 compares the access log 201 of this time which is acquired by the access acquisition unit 111 with the access situation of security management information 203 which is acquired from log information acquired before. The comparison is performed for a part or all of the situations which are stored as security management information 203. The contents to be compared can be set in advance by a user or can be determined by a manager. Alternatively, modifications can be made according to the desired level of security.

[0037] It is assumed here that the date and time of an access, accessed file and executed command of a user A are managed for the purpose of security, and the information is compared with the acquired access log in order to judge whether this access is within the scope of the security management information 203. If access is within the scope, it is judged to be normal and the next process is executed by the restriction comparison unit 116.

[0038] For example, if a file which has never been accessed before is accessed, it is judged that access is out of the scope of the security management information 203 and an instruction to issue an alarm is issued to an abnormality alarm unit 120 when the accessed file is compared with the security management information 203. When an executed command is compared with the security management information 203, it is checked whether the command has ever been executed. If the command is not recorded in the security management information 203, an instruction to issue an alarm is issued to the abnormality alarm unit 120.

[0039] For example, if the access log 201 of the user A is as shown in Fig. 3 and the security management information 203 as shown in Fig. 4 is stored for the user A, the access time is 18:30:34 and within the scope of the access time zone 10:00:00-19:00:00 of the security management information 203 as a result of the log comparison. In this case, the access is judged to be normal and it is checked whether the access violates the access restriction.

[0040] However, if the access time of the user A is 21:00, it is out of the scope of the security management information 203, and an instruction to issue an alarm is issued from the log comparison unit 115 to the abnormality alarm unit 120.

[0041] The restriction comparison unit 116 compares the access log 201 of this time with the corresponding part of the access restriction information 204 which is set in advance by the access restriction setting unit 113. If as a result, the access log 201 is out of the scope of the restriction which is set in the access restriction information 204, the restriction comparison unit 116 judges that the access can be accepted, it waits for the next access and no alarm is issued. However, if the access log 201 is within the scope of the access restriction information 204, the restriction comparison unit 116 judges that it violates the access restriction, and issues an alarm instruction indicating that the access violates the access restriction.

[0042] The access restriction setting unit 113 sets access restriction information 204 for each file and execution command, which are used in the restriction comparison unit 116. Fig. 7 shows an example of set access restriction information.

[0043] The access restriction information 204 includes information relating to the number of times of access and the scope of the access time where an access to a file or an execution of a command is restricted. For example, a scope such as "the number of times of access is three or less", "the access time zone is a zone other than 9:00:00-18:00:00", etc. is set as an access file setting for a specific file for each user. And a scope such as "the number of times of executions is -1 or less", "the execution time zone is a zone other than 0:00:00-0:00:00", etc. is set as a command execution setting for a specific command. Here, the number of times "-1" is used to indicate infinity.
[0044] The access management of a user can be performed by setting for each user whether each file can be accessed in the access file setting of the access restriction information 204. For example, when access from a general user to a manager's file which can be accessed only by the manager, is to be restricted, the information can be set in such a way that access to the manager's file is always prohibited if the access restriction time to the manager's file is set to the entire time zone (24 hours) such as a zone other than 0:00:00-0:00:00.

[0045] In the same way, access restriction information 204 can be used, for example, when a general user is prohibited from executing commands for the system management of a computer. If access to such commands, of which number of times is less than or equal to infinity, is set not to be accepted in the access restriction information 204, the execution of the commands for management by a general user can be always restricted.

[0046] Although in UNIX operating systems, etc., access management is performed by modifying a file attribute, in this system, the more detailed monitoring of file access can be performed based on situations, such as when a file is accessed, from which location a file is accessed, which user accesses a file, whether access is normal or abnormal, etc.

[0047] The abnormality alarm unit 120 includes an abnormality alarm receiving unit 121 for receiving from the access monitor unit 110 a report that access is abnormal, and an alarm issuance unit 122 for determining what class of alarm to issue when receiving the abnormality alarm and actually issuing it.

[0048] When receiving from the access monitor unit 110 a report that an abnormality has occurred, the abnormality alarm receiving unit 121 checks the contents of the abnormality and determines to whom to issue an alarm. The alarm issuance unit 122 issues an alarm through the output device 140. The abnormality alarm unit 120 can be configured in such a way that the alarm is stored in a specific file as log information, mailed to a system manager, or displayed on a screen of a display device.

[0049] For example, it is assumed that access as shown in the access log 201 of Fig. 3 is received in a situation where security management information 203 as shown in Fig. 4 is stored for a user A. It is also assumed that for access restriction information 204 for the user A, access restriction as shown in Fig. 7 is set. Since the number of times of access to the file "file1.txt" by the user A is "22" in the security management information 203, the number of times of the access in the access log 201 is out of the scope of "3 or less" in the access restriction information 204. However, since its access time is "18:30:34" in the access log 201, it is within the scope of "a zone other than 9:00:00-18:00:00" in the access restriction information 204. Accordingly, an alarm signifying that access is abnormal is issued. Since the number of times of executions of the command "exec.exc" is "62" in the security management information 203, the number of times of executions in the access log 201 is out of the scope of "3 or less" in the access restriction information 204. However, since its execution time is "18:32:20" in the access log 201, it is within the scope of "a zone other than 9:00:00-18:00:00". Accordingly, and in the same way, an alarm is issued.
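
The log comparison with the m ± 3s time zone and the restriction comparison described above can be run on the values of this worked example, as an added Python illustration that is not part of the patent. The class and function names, the access history, the half-open reading of a time zone, the use of the standard deviation for s and the file names "file9.txt" and "admin.cfg" are assumptions made for the example.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev


def secs(hms: str) -> int:
    """'18:30:34' -> seconds since midnight."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class Profile:
    """Per-user security management information 203 (illustrative fields)."""
    access_times: list                          # past access times, 'H:MM:SS'
    counts: dict = field(default_factory=dict)  # file or command -> times used

    def usual_zone(self):
        """Time zone judged normal, m - 3s .. m + 3s, in seconds."""
        t = [secs(x) for x in self.access_times]
        m, s = mean(t), pstdev(t)   # assumption: s is the standard deviation
        return m - 3 * s, m + 3 * s


@dataclass
class Restriction:
    """One row of access restriction information 204.

    The restricted scope is 'count <= max_count' or 'a zone other than
    start-end'; max_count == -1 stands for infinity, as in the text.
    """
    max_count: int
    start: str
    end: str

    def violated(self, count: int, at: str) -> bool:
        count_in_scope = self.max_count == -1 or count <= self.max_count
        # Assumption: start-end is half-open, so 0:00:00-0:00:00 is empty
        # and "a zone other than" it covers the full 24 hours.
        time_in_scope = not (secs(self.start) <= secs(at) < secs(self.end))
        # Either condition in scope counts as a violation, matching the
        # worked example (count out of scope, time within scope -> alarm).
        return count_in_scope or time_in_scope


def check_access(user, profile, rules, target, at):
    """Return alarm strings for one access-log entry; [] means normal."""
    alarms = []
    lo, hi = profile.usual_zone()
    # Log comparison: the new entry versus past access situations.
    if not lo <= secs(at) <= hi:
        alarms.append(f"log: user {user} accessed at {at}, "
                      "outside the usual time zone")
    if target not in profile.counts:
        alarms.append(f"log: user {user} used {target}, never used before")
    if alarms:
        return alarms   # abnormal: the restriction check is not reached
    # Restriction comparison: runs only when the log comparison is normal.
    rule = rules.get(target)
    if rule is not None and rule.violated(profile.counts[target], at):
        alarms.append(f"restriction: user {user} violated the access "
                      f"restriction on {target} at {at}")
    return alarms


# Constructed sample data. Counts, times and limits for file1.txt and
# exec.exc follow the worked example; the access history is invented.
PROFILE_A = Profile(
    access_times=["12:00:00", "13:00:00", "14:00:00",
                  "15:00:00", "16:00:00", "17:00:00"],
    counts={"file1.txt": 22, "exec.exc": 62},
)
RULES_A = {
    "file1.txt": Restriction(3, "9:00:00", "18:00:00"),
    "exec.exc": Restriction(3, "9:00:00", "18:00:00"),
    "admin.cfg": Restriction(-1, "0:00:00", "0:00:00"),  # hypothetical file
}

if __name__ == "__main__":
    for target, at in [("file1.txt", "18:30:34"), ("exec.exc", "18:32:20"),
                       ("file1.txt", "14:00:00"), ("file1.txt", "21:00:00"),
                       ("file9.txt", "14:00:00")]:
        result = check_access("A", PROFILE_A, RULES_A, target, at)
        print(target, at, result or "normal")
```

With this history the usual time zone comes out at roughly 9:22 to 19:37, so the 18:30:34 access passes the log comparison and is caught only by the restriction on the time zone, while the 21:00:00 access is already rejected by the log comparison.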

[0050] A concrete example of the alarm is given below. If the access time of the user A is "21:00:00", it differs from the normal access time of the user A. Therefore, when the abnormality alarm unit 120 receives the report from the access monitor unit 110, the following alarm is issued from the alarm issuance unit 122, basically, to a manager.

[0051] "Alarm: A user A has abnormally logged in at 21:00:00."

If the user A has accessed a file which has never been accessed before, the following alarm is issued.

[0052] "Alarm: The user A has accessed a file F which has never been accessed before."

[0053] In a system where user authentication is performed using both a user ID and a password, it is possible that such a situation can occur when the authentication information, such as the user ID, password, etc., of the user A is stolen. For example, if access is received at a time zone other than 10:00:00 to 19:00:00, which is the normal access time zone of the user A, there is a possibility that another user has gained access using both the user ID and password of the user A. In this case, an alarm that an access is received in an abnormal time zone is issued.

[0054] In a situation where computers are connected through a network, a certain computer often logs into another computer, and vice versa. In this case, if information about from which computer each user usually accesses, is acquired in advance for each user, an alarm indicating that a certain user has gained access from a computer other than the usual computer can be issued when it is judged that access is made from the computer other than the usual computer, since there is a possibility that the access is illegally gained by another user. Therefore, according to this system, even when both the user ID and password of a user are stolen, an alarm that abnormal access is received can be issued if an access situation in which a legal user does not gain access is detected. Accordingly, more powerful security can be guaranteed.

[0055] In order to simplify the description of the security check unit 114 shown in Fig. 2, it has been described that the detection of abnormal access by the log comparison unit 115 and the detection of abnormal access based on the access restriction information 204 by the restriction comparison unit 116 are independently performed in the security check unit 114. However, the security check unit 114 is also configured in such a way that the detection of abnormal access by the security check unit 114 is performed in a form where both detection by the log comparison unit 115 and detection by the restriction comparison unit 116 are related. For example, the security check unit 114 can be configured so as to issue an alarm according to the setting of a predetermined setting file only when both the log comparison unit 115 and the restriction comparison unit 116 detect an abnormality. Alternatively, the security check unit 114 can comprise only the log comparison unit 115 or the restriction comparison unit 116. Alternatively, the security check unit 114 can be configured so as to determine comparison conditions for the log comparison unit 115 based on access restriction information 204 or other setting information.

[0056] In the above-described system, since there is no access history accumulated in security management information 203 about a user who has never gained access, an alarm is always issued to such a user. Thus, an alarm is issued for each access a new user makes, which is annoying from the viewpoint of management. For this reason, separate access restriction information for a new user, which specifies access to files and its access time zone considered to be usual, is prepared as an initial setting in order that even a new user can gain access without an alarm being issued. Then, such an annoying situation can be avoided.

[0057] Alternatively, separate access restriction information is set in such a way that an alarm is issued in the first attempt and not issued when the number of times of access exceeds a specified number. In this case, if access is repeated several times, the number of times of access increases, and therefore, an access made after the predetermined number of times of access is regarded as normal and an alarm is not issued for the access even when a legal user gains access in the normal way.

[0058] Fig. 8 shows an example of access restriction information on a new user.

[0059] Access restriction information for new users 205 is applied to new users and users at a specific security level. The security level of a user to whom the access restriction information for new users 205 is applied is modified to the security level for ordinary users after a predetermined period of time has elapsed or after the number of times of access reaches a predetermined number, such as after a week or after three times of access, respectively. In this way, after that limit has been reached, access restriction information for ordinary users 204, as shown in Fig. 7, is applied instead of access restriction information for new users 205 as shown in Fig. 8.

[0060] Although a case where different access restriction information is used according to the security level of a user, that is, either a security level for new users or a security level for ordinary users is used, is described above, in the same way, a security level can be finely classified and access monitoring can be realized according to its security level by preparing a variety of access restriction information corresponding to a variety of security levels.

[0061] Access to electronic equipment includes not only access from a user, but also semi-automatic access from other equipment in a network. For example, it includes access from a mail server. Since mail can activate a certain kind of program in a mail server or a computer which receives the mail, it is difficult to guarantee the security of the electronic equipment. In this system, security monitoring can also be performed for access between computers like this, in which users do not interfere.

[0062] Fig. 9 shows an example of an access log which is acquired from access through a network by a mail server. The security management unit 112 converts an access log 206 shown in Fig. 9 to security management information 207 shown in Fig. 10, and stores the security management information 207.

[0063] In this case, a log comparison process is executed, for example, as follows. The log comparison unit 115 compares the access log 206 shown in Fig. 9 with the security management information 207 shown in Fig. 10. If the access of the access log 206 is mail from an existing sender who is recorded in the security management information 207, the mail is received without an alarm being issued. However, if the access is mail from a sender who is not recorded in the security management information 207, the log comparison unit 115 reports to the abnormality alarm unit 120 that access is abnormal, and the abnormality alarm unit 120 issues, for example, the following alarm.

[0064] "Alarm: Mail has been received from an unknown user."

[0065] If such an alarm has been issued to a manager or addressed user, the manager or addressed user can arbitrarily handle the mail by deleting the mail without reading it, or by reading mail in a computer in which a virus will not cause a problem. Accordingly, appropriate security maintenance and management can be realized.

[0066] Fig. 11 shows the summary of the process flow of the first preferred embodiment.

[0067] An access log 201 is acquired by the access log acquisition unit 111, is converted to security management information 203, and is recorded in the security management unit 112 (step S1). Then, the access log 201 and the security management information 203 are compared (step S2), and whether access is normal is judged based on whether the contents of the access log 201 are within the scope of the security management information 203 (step S3). If access is abnormal, the flow proceeds to step S6, and an abnormality alarm is issued by the abnormality alarm unit 120. If access is normal, the access log 201 and the access restriction information 204 are further compared by the restriction comparison unit 116 (step S4), and it is judged whether the access log 201 is within the scope of the access restriction (step S5). If the access log 201 is within the scope of the access restriction based on the access restriction information 204, an abnormality alarm is issued by the abnormality alarm unit 120 (step S6). If the access log 201 is out of the scope of the access restriction, the next access is waited for without an abnormality alarm being issued.
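
The first-embodiment flow above (steps S1 to S6), combined with the new-user security level of paragraphs [0056] to [0059], as an added Python example that is not code from the patent. Assumptions: the contents of restriction information 204 and 205 are constructed, the access time zone is taken as m ± 3s with a floor on s, the new access is compared with the history before it is recorded, and all class and function names are illustrative.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from statistics import mean, pstdev
from typing import Optional

NEW_USER_PERIOD = timedelta(weeks=1)   # "after a week"
NEW_USER_ACCESSES = 3                  # "after three times of access"
MIN_S = 30 * 60                        # assumed floor (seconds) for s on a short history

# Constructed stand-ins for Fig. 8 (205) and Fig. 7 (204).
NEW_USER_USUAL = {"files": {"file1.txt", "file2.txt"},
                  "from": time(9, 0), "until": time(19, 0)}
RESTRICTION = {"files": {"payroll.db"},
               "from": time(19, 30), "until": time(23, 59, 59)}

@dataclass
class History:
    """Security management information 203 accumulated for one user."""
    files: set = field(default_factory=set)
    seconds: list = field(default_factory=list)    # time of day of each access
    first_access: Optional[datetime] = None

def seconds_of_day(t):
    return t.hour * 3600 + t.minute * 60 + t.second

def new_user_comparison(filename, when):
    """New users have no history, so 205 supplies the 'usual' scope instead."""
    usual = (filename in NEW_USER_USUAL["files"]
             and NEW_USER_USUAL["from"] <= when.time() <= NEW_USER_USUAL["until"])
    return [] if usual else ["outside usual scope for new users"]

def log_comparison(hist, filename, when):
    """S2/S3: is the access within the scope of past access situations?"""
    reasons = []
    if filename not in hist.files:
        reasons.append("file not accessed before")
    # Time zone m +/- 3s on linear seconds of day; a habit that straddles
    # midnight would need a circular mean, which this sketch omits.
    m = mean(hist.seconds)
    s = max(pstdev(hist.seconds), MIN_S)
    if abs(seconds_of_day(when.time()) - m) > 3 * s:
        reasons.append("outside usual access time zone")
    return reasons

def restriction_comparison(filename, when):
    """S4/S5: restriction information 204 lists conditions judged abnormal."""
    reasons = []
    if filename in RESTRICTION["files"]:
        reasons.append("restricted file")
    if RESTRICTION["from"] <= when.time() <= RESTRICTION["until"]:
        reasons.append("within restricted time zone")
    return reasons

class SecurityMonitor:
    def __init__(self):
        self.histories = {}                        # user -> History

    def level(self, hist, when):
        if hist.first_access is None:
            return "new"
        promoted = (len(hist.seconds) >= NEW_USER_ACCESSES
                    or when - hist.first_access >= NEW_USER_PERIOD)
        return "ordinary" if promoted else "new"

    def check(self, user, filename, when):
        """Return (security level applied, alarm reasons); no reasons means normal."""
        hist = self.histories.setdefault(user, History())
        level = self.level(hist, when)
        if level == "new":
            reasons = new_user_comparison(filename, when)
        else:
            # Abnormal at S3 goes straight to S6; otherwise S4/S5 follow.
            reasons = (log_comparison(hist, filename, when)
                       or restriction_comparison(filename, when))
        # S1: every access is accumulated, alarmed or not, as the text describes.
        if hist.first_access is None:
            hist.first_access = when
        hist.files.add(filename)
        hist.seconds.append(seconds_of_day(when.time()))
        return level, reasons

# Constructed access records; the first two reuse the file entries of Fig. 3.
SAMPLE = [
    ("userA", "file1.txt", datetime(1998, 8, 25, 18, 32, 34)),
    ("userA", "file2.txt", datetime(1998, 8, 25, 18, 33, 20)),
    ("userA", "file1.txt", datetime(1998, 8, 26, 17, 50, 0)),
    ("userA", "file1.txt", datetime(1998, 8, 27, 18, 10, 0)),  # ordinary level from here
    ("userA", "file1.txt", datetime(1998, 8, 28, 19, 40, 0)),  # passes S3, caught at S5
    ("userA", "file1.txt", datetime(1998, 8, 29, 3, 12, 0)),   # valid login, unusual hour
]

def replay(records):
    monitor = SecurityMonitor()
    return [monitor.check(*record) for record in records]

if __name__ == "__main__":
    for record, (level, reasons) in zip(SAMPLE, replay(SAMPLE)):
        print(record[2], level, reasons or "normal")
```

Because every access is accumulated, an access that raised an alarm still widens the baseline used for later comparisons; a deployment has to decide whether alarmed accesses belong in the history.
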
[0068] Fig. 12 shows a configuration example of the most typical hardware for realizing the first preferred embodiment of the present invention. In this example, a computer 300 serves both as electronic equipment to be monitored and the security monitoring apparatus 100. The computer 300 monitors both access from a network 304 and access to the main body of the computer 300 from an input device 301, such as a keyboard, mouse, etc., and an alarm is displayed on a display 302. The access log and security management information are stored in a storage device 303, such as a hard disk, etc., and are read since a comparison is required. Every time access is made, the security management information is updated, and is stored in the storage device 303.

[The second preferred embodiment] 

[0069] In this system, although an alarm is issued if it is judged that access is abnormal, access should be permitted if it can be verified that access is being attempted from a legal user. From the viewpoint of system operation, it is desirable to be able to determine whether access is permitted or prohibited after an alarm is issued. For this reason, in the second preferred embodiment, the system is configured in such a way that several procedures of an alarm process can be prepared and one of them can be selected.

[0070] Fig. 13 shows a configuration example of the second preferred embodiment of the present invention. A security monitoring apparatus 400 shown in Fig. 13 comprises the same component units as those of the security monitoring apparatus 100 shown in Fig. 2, and further comprises an alarm process setting unit 410 and an alarm process unit 420. Each of the component units, other than both the alarm process setting unit 410 and the alarm process unit 420 shown in Fig. 13, corresponds to the component unit of the same reference number shown in Fig. 2. However, the alarm issuance unit 122 in the abnormality alarm unit 120 issues an alarm to the alarm process unit 420 instead of outputting an alarm to the output device 140.

[0071] The alarm process setting unit 410 sets an alarm process which is executed after an alarm is issued, and the alarm process unit 420 executes the alarm process according to information which the alarm process setting unit 410 sets when receiving the alarm from the abnormality alarm unit 120.

[0072] Fig. 14 shows an example of an alarm process setting which is set in advance by the alarm process setting unit 410. Fig. 15 shows an example of an alarm for a user corresponding to each alarm process setting. Fig. 16 shows an example of an alarm for a manager corresponding to each alarm process setting.
[0073] If an alarm process setting (1) shown in Fig. 14 is performed, user access is prohibited after an alarm is issued by the alarm process unit 420, and the user is locked out. At this time, a message (1) shown in Fig. 15, "Access is prohibited. Your user ID is locked out. If you want to gain access, please contact a manager." is outputted to the user. To the manager, a message (1) shown in Fig. 16, "There is access which is prohibited. A user xxxxx is locked out." is outputted.

[0074] If alarm process setting (2) shown in Fig. 14 is performed, user access is prohibited after an alarm is issued by the alarm process unit 420. At this time, a message (2) shown in Fig. 15 is outputted to the user, and a message (2) shown in Fig. 16 is outputted to the manager.

[0075] If the alarm process setting (3) shown in Fig. 14 is performed, user access is prohibited until the manager allows user access after an alarm is issued by the alarm process unit 420. The user waits for it. At this time, a message (3) shown in Fig. 15 is outputted to the user, and a message (3) shown in Fig. 16 is outputted to the manager.

[0076] If an alarm process setting (4) shown in Fig. 14 is performed, the user is requested to enter the second password after an alarm is issued by the alarm process unit 420. Access is allowed only when the second password is legal. At this time, a message (4) shown in Fig. 15 is outputted to the user, and the message (4) shown in Fig. 16 is outputted to the manager.

[0077] If an alarm process setting (5) shown in Fig. 14 is performed, access is permitted, although an alarm is issued by the alarm process unit 420. At this time, the message (5) shown in Fig. 15 is outputted to the user, and the message (5) shown in Fig. 16 is outputted to the manager.

[0078] If the alarm process setting (6) shown in Fig. 14 is performed, an alarm is not issued and access continues to be permitted as usual. This is the same situation as "without security", and no alarm message is outputted to either the user or the manager.

[0079] The system can also be configured in such a way that, out of the two messages set corresponding to each of the above-described alarm process settings, the message to a manager is outputted and no message is outputted to a user. Alternatively, it can be configured in such a way that no message is outputted to either a user or a manager.

[0080] Fig. 17 shows the summary of the process flow in the second preferred embodiment.

[0081] An access log 201 is acquired by the access log acquisition unit 111, is converted to security management information 203 and is stored in the security management unit 112 (step S21). Then, the access log 201 and the security management information 203 are compared by the log comparison unit 115 (step S22), and whether access is normal is judged from whether the contents of the access log 201 are within the scope of the security management information 203 (step S23). If access is abnormal, the flow proceeds to step S26, and the alarm process of access by the alarm process unit 420 is performed through the abnormality alarm unit 120. If it is normal, the access log 201 and the access restriction information 204 are further compared by the restriction comparison unit 116 (step S24), and it is judged whether access log 201 is within the scope of the access restriction (step S25). If the access log 201 is within the scope of the access restriction based on the access restriction information 204, the flow proceeds to step S26. If it is out of the scope of the access restriction, the next access is waited for and no alarm process is executed.

[0082] In step S26, the messages shown in Figs. 15 and 16 are outputted according to an alarm process setting which is set in advance by the alarm process setting unit 410, and the alarm process shown in Fig. 14 is executed.
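
The six alarm process settings of Fig. 14 and the paired messages of Figs. 15 and 16, dispatched at step S26, as an added Python example that is not code from the patent. Storing the second password as a salted PBKDF2 hash, the `manager_allows` flag and all class and function names are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class AlarmSetting(IntEnum):       # numbering follows Fig. 14
    LOCK_OUT = 1
    PROHIBIT = 2
    WAIT_FOR_MANAGER = 3
    SECOND_PASSWORD = 4
    ALARM_ONLY = 5
    NO_ALARM = 6


USER_MSG = {                       # Fig. 15
    1: "Access is prohibited. Your user ID is locked out. "
       "If you want to gain access, please contact a manager.",
    2: "Access is prohibited.",
    3: "Access is restricted. Please wait until a manager allows access.",
    4: "Access is restricted. Please enter the second password.",
    5: "Although access is abnormal, access is allowed.",
}
MANAGER_MSG = {                    # Fig. 16
    1: "There is access which is prohibited. A user {user} is locked out.",
    2: "There is access which is prohibited. The user: {user}",
    3: "There is access which is restricted. Should access be allowed?",
    4: "There is access which is restricted. The second password is requested.",
    5: "There is access which is restricted.",
}


@dataclass
class Outcome:
    permitted: bool
    user_msg: Optional[str]
    manager_msg: Optional[str]


def _derive(password: str, salt: bytes) -> bytes:
    # Assumption: the second password is stored as a salted PBKDF2 hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AlarmProcessUnit:
    """Alarm process unit 420, configured once by the setting unit 410."""

    def __init__(self, setting: int) -> None:
        self.setting = AlarmSetting(setting)
        self.locked_out = set()
        self._second = {}          # user -> (salt, derived key)

    def enroll_second_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._second[user] = (salt, _derive(password, salt))

    def _second_password_ok(self, user: str, supplied: Optional[str]) -> bool:
        if supplied is None or user not in self._second:
            return False           # nothing enrolled or nothing entered: deny
        salt, expected = self._second[user]
        return hmac.compare_digest(_derive(supplied, salt), expected)

    def handle(self, user: str, second_password: Optional[str] = None,
               manager_allows: bool = False) -> Outcome:
        """Step S26: called only after the security check judged access abnormal."""
        s = self.setting
        if s == AlarmSetting.NO_ALARM:
            return Outcome(True, None, None)
        if s == AlarmSetting.LOCK_OUT:
            self.locked_out.add(user)
            permitted = False
        elif s == AlarmSetting.PROHIBIT:
            permitted = False
        elif s == AlarmSetting.WAIT_FOR_MANAGER:
            permitted = manager_allows          # held until the manager decides
        elif s == AlarmSetting.SECOND_PASSWORD:
            permitted = self._second_password_ok(user, second_password)
        else:                                   # ALARM_ONLY
            permitted = True
        return Outcome(permitted, USER_MSG[int(s)],
                       MANAGER_MSG[int(s)].format(user=user))
```
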

[The third preferred embodiment] 

[0083] Although in the first and second preferred embodiments, an example of access to a computer is described, this system can be basically applied to all equipment which requires any monitoring, such as the monitoring of home security, the monitoring of prank calls, traffic monitoring, parking monitoring, etc.

[0084] Fig. 18 shows a configuration example of the third preferred embodiment of the present invention. A security monitoring apparatus 500 comprises a camera monitor unit 510, an abnormality alarm unit 520, a monitor camera unit 530 and a display 540.

[0085] The monitor camera unit 530 corresponds to the inputting means of a computer described in the previous preferred embodiments. The camera monitor unit 510, abnormality alarm unit 520 and display 540 correspond to the access monitor unit 10, abnormality alarm unit 20 and output device 40, respectively.
[0086] Fig. 19 shows an example in which the security monitoring apparatus shown in Fig. 18 is used as a home security monitoring apparatus. For home security monitoring, information, such as the hours at which family members return home, the number of family members, the photograph images of the faces of family members, if possible, etc., are obtained in advance, and when a person other than a family member visits home, etc., an alarm is issued.

[0087] Specifically, the visit time, the number of visitors, image information such as the photographs of the faces of visitors, if possible, etc., are obtained by an image/voice input unit 511 through the monitor camera unit 530, its feature information is extracted, and it is stored in an image/voice log management unit 512. Then, the information is compared with information about visitors, etc., that have entered before, which are stored in an image/voice management unit 512, by an image/voice comparison unit 515. If it is judged that the visit is abnormal, an alarm message is displayed on the display 540 or an alarm is issued using a buzzer, etc., by the abnormality alarm unit 520. Furthermore, it can also be checked by a restriction comparison unit 516 whether the visit is made by a prohibited visitor or during prohibited visiting hours, based on preset access restriction information, and an alarm can be issued. Although an example in which an image is inputted is described, voice information which is inputted from a microphone can also be used for this security check.
[0088] Fig. 20 shows an example in which the security monitoring apparatus shown in Fig. 18 is used as a traffic monitoring apparatus. In traffic monitoring, for example, information about a car which passes through a certain point, such as an intersection, etc., such as the license number, model, driver, etc., of the car, is obtained, and when a car other than specified cars passes through the point, an alarm is issued.

[0089] Specifically, information about a car passing through a certain point, such as the license number, model, driver, etc., of the car is acquired by an image/voice input unit 511 through the monitor camera unit 530, and stored in the image/voice log management unit 512. Then, the information is compared with information about cars, etc., that have passed through before, which is stored in the image/voice log management unit 512, by the image/voice comparison unit 515. If the car is judged to be abnormal, an alarm message is displayed on the display 540 or an alarm is issued using a buzzer, etc., by the abnormality alarm unit 520. Furthermore, it can also be checked by a restriction comparison unit 516 whether the car or driver is one of the prohibited cars or drivers, based on preset access restriction information, and an alarm can be issued.
[0090] Fig. 21 shows the summary of the process flow of the third preferred embodiment.

[0091] Image/voice information is inputted from the monitor camera unit 530, and is stored in the image/voice log management unit 512 (step S31). The image/voice comparison unit 515 compares the inputted image/voice information with the image/voice log management information which is stored in the image/voice log management unit 512 (step S32). The image/voice comparison unit 515 judges whether there is any information matching the inputted image/voice information among the image/voice log management information (step S33), and if there is no matched information in the image/voice log management information, an alarm is issued by the abnormality alarm unit 520 (step S36). If there is some matched information in the image/voice log management information, the information is further compared with access restriction information by the restriction comparison unit 516 (step S34), and it is judged whether the image/voice information is within the scope of the access restriction information (step S35). If the image/voice information is within the scope of the access restriction information, an alarm is issued by the abnormality alarm unit 520 (step S36).
[0092] As described above, according to this system the following operations are realized.

1) Security management information can be stored according to the type of access;

2) Arbitrary criteria which are used in a log comparison process can be set according to the frequency of access and the type of access (write, read, execute, etc.);

3) Prohibition against access can be set by setting the access designation period of access restriction information to infinite;

4) In order to manage a security level, a plurality of security management information files can be prepared, the security management information file which is used is changed according to the access time passage, such as elapsed time, the frequency of access, etc., of a user, and the security level can be modified and managed; and

5) After an alarm is issued, an alarm process regarding how access can be permitted, etc., can be set.

[0093] Accordingly, more powerful and appropriate security management can be realized. The present invention can also be applied to monitoring of illegal use of a credit card and access monitoring of an automatic teller machine of financial institutions.

[0094] As described above, according to the present invention, the situation of access from a user or through a network can be monitored regardless of the security maintenance and management system which is based on user authentication. Even if the authentication information of a user leaks, illegal accesses can be detected by checking whether access is abnormal, that is, different from a normal situation. Accordingly, powerful maintenance and management of security can be realized.

Claims 



1. A security monitoring apparatus (1, 100, 400) for monitoring access to electronic equipment (2) from outside, comprising:

access log acquiring means (11, 111) for acquiring an access log concerning an access situation at a time of access;
security managing means (12, 112) for accumulating and managing an acquired access log as security management information; and
security checking means (14, 114) for checking whether current access is different from a normal access, based on the security management information.

2. The security monitoring apparatus according to claim 1, further comprising

abnormality alarming means (20, 120) for issuing an alarm if the current access is different from the normal access.

3. The security monitoring apparatus according to claim 1 or 2, wherein

said security checking means compares an access log of the current access with the security management information, and judges that the current access is different from the normal access if a current access situation is not included in a scope of past access situations.

4. The security monitoring apparatus according to claim 1, 2, or 3, further comprising

access restriction setting means (13, 113) for setting access restriction which defines a condition for an access situation to be judged to be abnormal, wherein said security checking means judges whether the current access is different from the normal access, based on the access restriction which is set by said access restriction setting means.

5. The security monitoring apparatus according to claim 4, wherein

said access restriction setting means stores a plurality of pieces of setting information corresponding to a plurality of security levels, and
said security checking means selectively uses setting information according to a security level which is changed according to an access situation.

6. The security monitoring apparatus according to any preceding claim, further comprising

alarm processing means (30, 420) for requesting a user to input password information if said security checking means judges that the current access is different from the normal access, and permitting access if inputted password information is judged to be correct.

7. The security monitoring apparatus according to any of claims 1 to 5, further comprising:

alarm process setting means (31, 410) for setting how to process the current access when said security checking means judges that the current access is different from the normal access; and
alarm processing means (30, 420) for executing an alarm process based on setting information which is set by the alarm process setting means.

8. The security monitoring apparatus according to any preceding claim, wherein

the security management information which is managed by said security managing means includes information about an access time zone obtained through a statistical process on access times of a user; and
said security checking means judges that an access which is received out of the access time zone of the security management information is abnormal.

9. The security monitoring apparatus according to any preceding claim, wherein

the current access corresponds to one of an input from a computer input device, logging-in to equipment, file access, an execution command to operate equipment and access through a network.

10. A security monitoring apparatus (500) for monitoring an input from an input device (530) for monitoring, comprising:

image inputting means (511) for inputting image information from the input device for monitoring;
image log managing means (512) for accumulating and managing log information of inputted image information as security management information;
security checking means (514) for checking whether current image information is different from normal image information, based on said security management information; and
abnormality alarming means (520) for issuing an alarm if the current image information is different from the normal image information.

11. A security monitoring apparatus (500) for monitoring an input from an input device (530) for monitoring, comprising:

voice inputting means (511) for inputting voice information from the input device for monitoring;
voice log managing means (512) for accumulating and managing log information of inputted voice information as security management information;
security checking means (514) for checking whether current voice information is different from normal voice information, based on said security management information; and
abnormality alarming means (520) for issuing an alarm if the current voice information is different from normal voice information.

12. A security monitoring method for monitoring access to electronic equipment (2) from outside, comprising the steps of:

acquiring an access log concerning an access situation at a time of access;
accumulating and managing an acquired access log as security management information;
checking whether current access is different from a normal access, based on said security management information; and
issuing an alarm if the current access is different from the normal access.

13. A program for causing a computer (300) to monitor access to electric equipment (2) from outside, said program comprising the steps of:

acquiring an access log concerning an access situation at a time of access;
accumulating and managing an acquired access log as security management information; and
checking whether current access is different from a normal access, based on said security management information.

14. A computer-readable storage medium (303) on which is recorded a program according to claim 13.

ACCESS LOG OF user A 201

NAME OF USER: userA
PASSWORD: paswdW$123
DATE OF ACCESS: 1998/8/25 18:30:34
NAME OF ACCESSED FILE: file1.txt 1998/8/25 18:32:34
                       file2.txt 1998/8/25 18:33:20
NAME OF EXECUTED COMMAND: exec.exe: 1998/8/25 18:32:20

FIG. 3






[FIG. 6: plot of NUMBER OF TIMES; horizontal axis marked -3s, -2s, -s, s, 2s, 3s; MEAN VALUE m; VARIANCE s]





ACCESS LOG THROUGH NETWORK 206

NAME OF COMPUTER REQUESTING TO BE CONNECTED: mailserver1
MAIL ADDRESS: userA
SENDER OF MAIL: senderX
NAME OF COMPUTER WHICH IS PASSED THROUGH: mailserv2, mailserv3
DATE AND TIME OF RECEPTION OF MAIL: 1998/3/20 14:22:36
USED PROTOCOL: smtp

SECURITY MANAGEMENT INFORMATION 207

NAME OF COMPUTER REQUESTING TO BE CONNECTED: mailserver1, mailserv2, ...
MAIL ADDRESS: userA, userB.
SENDER OF MAIL: senderX, senderY, senderZ, ...
NAME OF COMPUTER WHICH IS PASSED THROUGH: mailserv2, mailserv3
DATE AND TIME OF RECEPTION OF MAIL: 1998/3/20 14:22:36
USED PROTOCOL: smtp, ...

EXAMPLE OF ALARM PROCESS SETTING

(1) ISSUES AN ALARM, PROHIBITS AN ACCESS, AND LOCKS OUT THE USER
(2) ISSUES AN ALARM AND PROHIBITS AN ACCESS.
(3) ISSUES AN ALARM AND PROHIBITS AN ACCESS UNTIL A MANAGER ALLOWS IT. A USER WAITS UNTIL THEN.
(4) ISSUES AN ALARM, REQUESTS A USER TO ENTER THE SECOND PASSWORD. ONLY WHEN IT IS JUDGED TO BE LEGAL IS ACCESS ALLOWED.
(5) ONLY ISSUES AN ALARM AND ACCESS IS PERMITTED.
(6) ACCESS IS PERMITTED AS USUAL

FIG. 14

EXAMPLE OF ALARM FOR A USER

(1) ACCESS IS PROHIBITED. YOUR USER ID IS LOCKED OUT. IF YOU WANT TO GAIN ACCESS, PLEASE CONTACT A MANAGER.
(2) ACCESS IS PROHIBITED.
(3) ACCESS IS RESTRICTED. PLEASE WAIT UNTIL A MANAGER ALLOWS ACCESS.
(4) ACCESS IS RESTRICTED. PLEASE ENTER THE SECOND PASSWORD.
(5) ALTHOUGH ACCESS IS ABNORMAL, ACCESS IS ALLOWED.
(6) NO ALARM

EXAMPLE OF ALARM FOR A MANAGER

(1) THERE IS ACCESS WHICH IS PROHIBITED. A USER XXXXX IS LOCKED OUT.
(2) THERE IS ACCESS WHICH IS PROHIBITED. THE USER: OOOOO
(3) THERE IS ACCESS WHICH IS RESTRICTED. SHOULD ACCESS BE ALLOWED?
(4) THERE IS ACCESS WHICH IS RESTRICTED. THE SECOND PASSWORD IS REQUESTED.
(5) THERE IS ACCESS WHICH IS RESTRICTED.
(6) NO ALARM

FIG. 16